forked from anujith-singh/db-archiver
-
Notifications
You must be signed in to change notification settings - Fork 0
headobject apifix #1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
nit-practo
wants to merge
1
commit into
master
Choose a base branch
from
s3_path_headobject_fix
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The purpose of the method is to check if the file exists in s3, if so then the caller appends variable version to the fiel name.
If there is no access then the method should raise exception as it was earlier.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
boto returns 403 when we check for the existence of file (if it does not exist)
botocore.exceptions.ClientError: An error occurred (403) when calling the HeadObject operation: Forbiddencc : @justjkk
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to this stackoverflow answer, s3 returns 403 instead of 404 if the ListBucket access is not present. In our case, the ListBucket access was present but restricted to a folder. I checked and found that the restriction was using
StringEqualsinstead ofStringLikewhich was preventing the ListBucket call from succeeding when applied on any path other than the top-level folder. I fixed the IAM permissions and it is now returning 404 as expected. However, it still makes sense to treat 403 also as a not found and not require the ListBucket permission.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Final working IAM permissions for reference:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::<bucket-name>", "Condition": { "StringLike": { "s3:prefix": "<db-name>/*" } } }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts" ], "Resource": "arn:aws:s3:::<bucket-name>/<db-name>/*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": "s3:ListBucketMultipartUploads", "Resource": "arn:aws:s3:::<bucket-name>" } ] }Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@justjkk @nit-practo the problem with treating 403 as 404 is:
If the IAM user does not have list/read access but has write access (unlikely but techinically possible) then
check_if_s3_file_exists()will returnFalseget_usable_s3_path()will end up returning the path it just examinedupload_to_s3()will end up overriding the file with a new version, which defeats the entire purpose ofcheck_if_s3_file_exists()Since as Kishore mentioned this is not a blocking problem any more(which we presumed earlier), we should update the ReadMe to have this document and call it done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@anujith-singh agreed with your reasoning.